Android banking trojan marcher targets dozens of apps

Android-targeting banking Trojan Marcher is on the rise, infecting devices via a phishing attack using SMS/MMS, gaining extensive privileges, displaying an overlay window to your banking app and collecting all your data, all the while successfully avoiding your antivirus apps.

According to experts over at Securify, it all starts with a phishing attack using SMS or MMS, with the messages including a link leading to a fake version of a popular app, such as WhatsApp, Runtastic or Netflix, to name a few.

The link, however, doesn’t lead you to the good old Google Play Store, which is safe for the most part, but to a third-party app store. Of course, this doesn’t work if you don’t have the option selected from your phone’s security settings. So, a first step to take care of your data is to not allow downloads from other app stores than the official one. Then, if the app does get downloaded and installed, it will start requesting Android privileges that are uncommon for regular apps, including Device admin. Combined with SMS read/write and Internet permission, this app becomes dangerous, and it’s not what the regular, official app would do. Even if you don’t originally accept all those privileges, the app will nag you until you just say yes to silence it.

“Once accepted Marcher runs in the background as a service and fully controls the device as admin (permission screen attached). Obviously, a fairly significant list of permissions of which many are suspicious, especially when combined,” Han Sahin, co-founder of Securify, told.

Let the damage commence

Once the permissions have been granted, the Marcher banking malware has two goals. The first one is to compromise the out-of-band authentication for online banks that rely on SMS using SMS forwarding. The second is to create an overlay, showing a customized phishing window whenever a targeted app is started on the device. These overlays look pretty much identical with what you’d expect from your banking app, so it’s likely not going to raise any suspicions. This means that the people behind the attack will get your banking credentials, credit card numbers, and so on, which they can use to siphon money either directly or by selling the data to others on the dark web.

So, what kind of permissions does the fake app need? Well, it can change your network connectivity state, send texts, lock the device, start malware when the device boots, view info about the status of your WiFi, edit and delete texts, call phone numbers, intercept texts, and so on. We’ve seen a few of them combined before, in genuine apps, but not all of them at once because that gives the app great control over your device.

Lots of targeted banking apps

The list of targeted banking apps is extremely long and includes, but is not limited to: BAWAG, ErsteBank, Volksbank, Bank Austria, ING DiBA Banking + Brokerage, Raiffeisen, DKB Banking, Santander MobileBanking, Barclays, Bank of Scotland, Lloyds Bank, Halifax, HSBC, Banco de Brasil, ING Direct Australia Banking, Citi Mobile, PayPal, Garanti, and more, with some banks making multiple appearances on the list due to having different apps for different locations. In total, 117 banking apps have a bullseye for Marcher.Other targeted apps for the credit card overlay are Instagram, Play Store, Facebook, Skype, Viber, WhatsApp Messenger, Gmail, and Amazon Shopping.

Bypassing the antivirus

The worst part about this is that even if you have an antivirus app on your device, it’s likely that it won’t even matter. The malware uses a simple technique by looking for any such apps on your device and if it’s running. If it does, the malware forces the phone back to the home screen. Therefore, even if the app does notice the malware infection, it can’t remove it until you give it permission. With you finding it impossible to actually see your AV interface, you can’t give the go-ahead.

The list of antivirus apps that can be bypassed is quite long and includes well-known names such as Norton, BitDefender, Kaspersky, AVG, Avast, and Avira, as well as other well-known tools such as CCleaner, Dr.Web Light, CM Security AppLock Antivirus, and more. Since the app gets permission to send texts, you are quite likely to unknowingly invite your friends to download the spoofed apps as well and to help infect them too. Based on stats from Securify, nearly 5,700 German and nearly 2,200 French mobile devices have been infected, out of the total 11,000. Most of the infected devices are running Android 6.0.1.

Protect your data

So, what to do if you figure out, somehow, that your device is infected? Uninstalling the service is impossible since that has been disabled beforehand. The only way to get your device back is to perform a factory reset, as Han Sahin confirmed.The best, however, is to not tap on all links you receive via text, even if they come from the friends you trust. Even if you click on that link, don’t just install apps from unknown sources.

“Be vigilant when installing new applications on your device that does not match with the permissions that it needs. Obviously, a fairly significant list of permissions of which many are suspicious, especially when combined. For example, Device Admin, SMS read/write and internet permissions are not what WhatsApp or a simple Runtastic app would require. More importantly, disable ‘Unknown Sources’ setting,” stressed Han Sahin.

“It is not uncommon for Android users to be tricked into clicking on malicious SMS-distributed URLs that redirect towards third-party marketplaces that disseminate malware. While by default Android devices do not support the installation of applications outside Google Play, these websites sometimes display step-by-step instructions into how to disable that feature. They sometimes even fictively scan the user’s device and display various warnings and popups, such as fake security updates, building a sense of urgency and necessity for installing the malicious app,” a spokesperson told us.

Unfortunately, there's not much Bitdefender can do in this situation. Their advice is to only install apps from the official app stores, as they're usually vetted. Also, before installing any new app, it's good practice to go through its user reviews, as shady behavior is often reported by the community. “Using a security solution is also considered best practice as it can prevent users from visiting fraudulent or malicious websites that disseminate malware,” they added.

That being said, the folks over at Bitdefender tested all the strains found by Securify and said the antivirus correctly marks them as malware. However, due to the way the malware acts by making it impossible to display the actual antivirus interface in order to allow users to remove it, it can't do much to fix the situation. This is all due to how Android itself is built, not allowing apps to perform actions without the users' express consent, which is understandable since that's typical malware behavior.

"Mobile banking Trojans actively developed throughout last year, featuring new features and capabilities, including the means to bypass the security mechanisms of Android. For instance, the Marcher family, instead of implementing the usual banking applications’ overlay, redirected users from financial institutions’ websites to phishing pages. However, this technique won’t work on the most recent Android versions. In 2016, Trojan-Banker.AndroidOS.Marcher was listed among the most actively distributed malware samples in Australia," Roman Unuchek, Senior Malware Analyst told us.